webhook-cve-2022-0811
This is a really simple webhook that blocks pod creation when malicious sysctl values are configured.
Build
go test
CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build
Build image and deploy in Minikube
Start minikube:
minikube start
minikube addons enable registry
Build:
podman build -t localhost:5000/webhook-cve-2022-0811:latest .
podman push --tls-verify=false "$(minikube ip):5000/webhook-cve-2022-0811:latest"
Deploy:
cd kustomize/
kustomize build | kubectl apply -f -
Test
Create the following pod:
apiVersion: v1
kind: Pod
metadata:
  name: sysctl-set
  namespace: default
spec:
  securityContext:
    sysctls:
    - name: kernel.shm_rmid_forced
      value: "1+kernel.core_pattern"
  containers:
  - name: test
    image: k8s.gcr.io/pause:3.2
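As an added example (not the repository's own code), the core check a webhook like this performs on the pod above, written in Go against a minimal hand-rolled Pod struct instead of k8s.io/api; the allowed name and value character sets are an assumption chosen for illustration:

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Minimal view of the Pod fields the webhook inspects (constructed here
// rather than imported from k8s.io/api so the example is self-contained).
type Sysctl struct {
	Name  string `json:"name"`
	Value string `json:"value"`
}

type Pod struct {
	Spec struct {
		SecurityContext struct {
			Sysctls []Sysctl `json:"sysctls"`
		} `json:"securityContext"`
	} `json:"spec"`
}

// A value such as "1+kernel.core_pattern" smuggles a second sysctl into
// the runtime, so only plain tokens are accepted: names made of
// [a-z0-9_] segments joined by '.' or '/', and values without '+', '=',
// newlines or other separators (assumed character sets).
var (
	safeName  = regexp.MustCompile(`^[a-z0-9_]+([./][a-z0-9_]+)*$`)
	safeValue = regexp.MustCompile(`^[A-Za-z0-9_.:/ -]+$`)
)

// ValidateSysctls decodes the raw Pod JSON from an AdmissionReview and
// returns nil when every sysctl is well-formed, or an error describing
// the first entry that should cause the pod to be denied.
func ValidateSysctls(rawPod []byte) error {
	var pod Pod
	if err := json.Unmarshal(rawPod, &pod); err != nil {
		return fmt.Errorf("decode pod: %w", err)
	}
	for _, s := range pod.Spec.SecurityContext.Sysctls {
		if !safeName.MatchString(s.Name) {
			return fmt.Errorf("sysctl name %q is not well-formed", s.Name)
		}
		if !safeValue.MatchString(s.Value) {
			return fmt.Errorf("sysctl %s has unsafe value %q", s.Name, s.Value)
		}
	}
	return nil
}

func main() {
	// Constructed sample mirroring the sysctl-set pod from this README.
	bad := []byte(`{"spec":{"securityContext":{"sysctls":[{"name":"kernel.shm_rmid_forced","value":"1+kernel.core_pattern"}]}}}`)
	fmt.Println("denied:", ValidateSysctls(bad)) // denied: sysctl kernel.shm_rmid_forced has unsafe value "1+kernel.core_pattern"
}
```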